There is an increasing number of services on the Internet that enable peer-to-multi-peer sharing of online content, for example email, social networking websites, and instant messenger services. The content being shared can be, for example, photos, videos, links to web pages, etc. A common mechanism involves a sharing user providing a link to one or more peer users (“peers”), with a peer clicking the link to download the content. Generally, peers are willing to click the link and access the shared content provided that the link appears to have originated from a trusted sharing user, e.g. a friend or colleague.
Unfortunately there are many ways in which these content sharing services can be abused by malicious third parties in order to direct peers to content “owned” by those malicious third parties. Such content might be malicious, e.g. a fake bank website, or may be inappropriate or simply annoying.
Consider for example the social networking website Facebook™. Each user has their own Facebook page on which they can provide “posts”. These posts can comprise, for example, written status updates/messages, shared photos, links, videos etc. The area of the user's Facebook page which contains these posts is known as their “wall”. There are a number of ways in which posts can appear on a user's wall, and FIG. 1 shows a representation of all the potential inputs to a Facebook user's profile wall. FIG. 1 also shows the types of media that are permitted as posts, and the risks that they can lead to. For example, a message, photo or video posted to a user's wall could be inappropriate content, and a link presents the highest number of risks as it could lead to inappropriate content, a drive-by download (a download that happens without a person's knowledge, or with a person's knowledge but without understanding of the consequences), a phishing attack, scams, or spam/unwanted marketing.
Facebook does provide privacy settings which, in the context of content sharing, limit the number of potential inputs to a user's profile wall, and also limit the potential audience that is able to view the posts on the user's profile wall. For instance, a user may only allow friends and friends-of-friends to post on his or her wall, blocking the ability to post from everyone else and applications. The user may also limit who is able to see his or her wall to just friends, for example.
These privacy settings are not a substitute for proper authentication or other security mechanisms. A user may not wish to apply restrictive privacy settings, for example if he or she wants everyone to be able to view and post on his or her wall. Even where restrictive privacy settings are in place, they offer no protection if the profile owner's account, or the account of one of his or her friends, is compromised, or if the user is tricked into granting access privileges to a Facebook application.
Abuse of trust and attacks such as those described above can also arise in other peer-to-multi-peer systems, for example email. A user's email account can become compromised, e.g. through a phishing attack, or because the user did not log out properly from a public computer. As a consequence, an email containing a link to unsuitable or malicious content can be sent from that account to the user's contacts such that it appears to have come from him or her. A web page, e.g. a personal or corporate page, might also be attacked, with valid links replaced by inappropriate links, or new, inappropriate links introduced.